Corporate data breaches typically occur within a company’s own computers, but a new case out of New York signals a new area of entry for potential thieves — the company’s outside law partners.

Prosecutors say that three men ran an insider-trading ring using information illegally taken from mergers and acquisition firm Simpson Thatcher & Bartlett LLP. According to a criminal complaint, the three men netted $5.6 million by trading on inside information that included knowledge of Tyco International’s plans to buy Brink’s Home Security Holdings and OfficeMax’s plans to merge with Office Depot.

Steven Metro, formerly a managing clerk at Simpson Thatcher, used the firm’s computer system for information that he could steal. He then passed the information on to broker-dealer Vladimir Eydelman who traded on the information. A third unnamed man also traded on the information; he is cooperating with investigators in exchange for a plea deal.

According to the Wall Street Journal, Metro plans to plead not guilty, with one of lawyers saying, “These are only allegations. Eydelman has not commented on the criminal complaint.

Simpson Thatcher claims that it did not know about the scheme until March 19, when Metro and Eydelman first appeared in court. The firm promptly terminated Metro’s employment.

In an Internet-based world, securing trade secrets has become even more difficult. While a corporation could host the best privacy standards possible, in-house counsel should also make sure that outside counsel are also held up to the same standard.

One of the keys to ensuring trade secrets, says David Carns of @Legal Discovery, is stepping up internal controls, even encrypting documents and devices to make sure they don’t fall into the wrong hands. “Even if the device is lost or forgotten, if the device’s contents are encrypted, it will be impossible for third parties to read the encrypted data,” Carns said. “Using common techniques, such device encryption, can be enforced even on BYOD devices.”

For more on the fallout from recent corporate data breaches, check out these InsideCounsel articles: